From a005e3e052a4e41397e7060ad3bc8f45860e5336 Mon Sep 17 00:00:00 2001
From: James Slagle
Date: Wed, 20 Apr 2016 09:03:03 -0400
Subject: Add destination parameter to firewall rule Specifying a destination cidr is already supported by puppetlabs-firewall, we just need to pass through the parameter in rule.pp in puppet-tripleo. This will allow creating iptables rules that forward network traffic for a given cidr via puppet-tripleo.
Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
---
 manifests/firewall/rule.pp | 38 ++++++++++++++++++++---------------
 spec/classes/tripleo_firewall_spec.rb | 7 ++++++-
 2 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 02afbc2..ca9c6d0 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -47,29 +47,35 @@
 # (optional) The chain associated to the rule.
 # Defaults to 'INPUT'
 #
-# [*extras*]
+# [*destination*]
+# (optional) The destination cidr associated to the rule.
+# Defaults to undef
+#
+# [*extras*]
 # (optional) Hash of any puppetlabs-firewall supported parameters.
 # Defaults to {}
 #
 define tripleo::firewall::rule (
- $port = undef,
- $proto = 'tcp',
- $action = 'accept',
- $state = ['NEW'],
- $source = '0.0.0.0/0',
- $iniface = undef,
- $chain = 'INPUT',
- $extras = {},
+ $port = undef,
+ $proto = 'tcp',
+ $action = 'accept',
+ $state = ['NEW'],
+ $source = '0.0.0.0/0',
+ $iniface = undef,
+ $chain = 'INPUT',
+ $destination = undef,
+ $extras = {},
 ) {
 $basic = {
- 'port' => $port,
- 'proto' => $proto,
- 'action' => $action,
- 'state' => $state,
- 'source' => $source,
- 'iniface' => $iniface,
- 'chain' => $chain,
+ 'port' => $port,
+ 'proto' => $proto,
+ 'action' => $action,
+ 'state' => $state,
+ 'source' => $source,
+ 'iniface' => $iniface,
+ 'chain' => $chain,
+ 'destination' => $destination,
 }
 $rule = merge($basic, $extras)
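Review bot: The `[*destination*]` doc block added here does not say that the other defaults in the signature still apply, so a rule that sets only `chain` and `destination` (as the spec's '302 fwd custom cidr 1' does) is built with `source => '0.0.0.0/0'`, `proto => 'tcp'`, `action => 'accept'` and no port. Unless the part of the define outside this hunk narrows it, that reads as accepting new TCP connections from any source to the whole destination range. I would extend the comment to `# (optional) The destination address or cidr matched by the rule. The source, proto, action and state defaults still apply; set source, iniface and port explicitly for FORWARD rules.` The body of the define continues past the last line of the hunk, so how `$rule` is consumed is not visible here.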
diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb
index 7d1d1ec..aa5d1d7 100644
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@@ -73,7 +73,8 @@ describe 'tripleo::firewall' do
 :manage_firewall => true,
 :firewall_rules => {
 '300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
- '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}
+ '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
+ '302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'}
 }
 )
 end
@@ -90,6 +91,10 @@ describe 'tripleo::firewall' do
 :action => 'accept',
 :state => ['NEW'],
 )
+ is_expected.to contain_firewall('302 fwd custom cidr 1').with(
+ :chain => 'FORWARD',
+ :destination => '192.0.2.0/24',
+ )
 end
 end
--
cgit 1.2.3-korg
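Review bot: The expectation added for '302 fwd custom cidr 1' in the second spec hunk asserts only `:chain` and `:destination`, so the spec does not pin how broad the resulting FORWARD rule is. The fixture sets no `source`, `proto` or `action`, which means the rule takes the define's defaults from rule.pp; I would add `:source => '0.0.0.0/0',`, `:proto => 'tcp',` and `:action => 'accept',` to the `.with(...)` so a later change to those defaults fails the test. This assumes the define passes the values through unchanged, as the assertion just above for another rule suggests. The `it` block that holds these expectations starts outside the hunk.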